Critical Infrastructure Incidents Increased in 2015: ICS-CERT

A total of 295 incidents involving critical infrastructure in the U.S. were reported to the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) in the fiscal year 2015, compared to 245 in the previous year.

Statistics provided by ICS-CERT for 2015 show that one-third of the incidents impacted the critical manufacturing sector, which in 2014 accounted for 27 percent of incidents.

The increase was the result of a spear-phishing campaign launched by an advanced persistent threat (APT) actor against organizations in critical manufacturing and other sectors. The attacker, believed to be the threat group known as APT3, exploited a zero-day vulnerability in Adobe Flash Player (CVE-2015-3113) in its operations.

In 2014, the same actor launched a reconnaissance operation in which it used social engineering tactics to trick the employees of the targeted organizations into handing over valuable information, ICS-CERT said.

The energy sector, which in 2014 accounted for 32 percent of critical infrastructure incidents, reported only 46 incidents in 2015, which represents 16 percent of the total. Incidents were also reported in sectors such as water (25), transportation systems (23), government facilities (18), healthcare (14) and communications (13).

ICS-CERT said it responded to a significant number of incidents involving improperly configured infrastructure where ICS networks were connected to corporate networks and even directly to the Internet.

While in more than one-third of cases investigators could not determine the infection vector used by the attackers, more than 100 incidents involved spear phishing.

The number of reports regarding network scans and probes by external parties decreased by more than 50 percent in 2015 compared to the previous year. ICS-CERT cautioned, however, that this trend could mean organizations are becoming better at handling such low-level issues on their own, rather than a drop in the frequency of scanning and probing attempts.

On one hand, ICS-CERT has found that in 69 percent of incidents there had been no evidence that the attackers successfully breached the targeted organization, compared to 49 percent in 2014. On the other hand, the agency pointed out that the number of successful intrusions into control system environments increased from 9 percent in 2014 to 12 percent in 2015. In 12 percent of cases there was indication that the attackers gained access to the target’s business network.

ICS-CERT’s report is based on information from asset owners, the Information Sharing and Analysis Center (ISAC), third parties and researchers, and US government sources. However, the agency noted that not everyone shares incident reports.

Recent events in Ukraine, where malware attacks resulted in massive power outages, have demonstrated the damage a malicious cyber actor can cause if it gains access to critical infrastructure systems. The attacks in Ukraine involved BlackEnergy malware and they have been blamed on Russia, although there is no solid evidence to support the allegations.

Eduard Kovacs is an international correspondent for SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.